Facebook ecommerce plugin used by thousands of stores hacked to steal credit card data

News
By published

pkfacebook is a popular plugin for PrestaShop

Credit card information for sale
(Image credit: Shutterstock)

A Facebook plugin built for the best ecommerce platforms is said to be vulnerable in a way that allows threat actors to steal people’s credit card information, and ultimately - money. 

Security researchers from Friends-of-Presta have warned of an SQL injection vulnerability in pkfacebook, claiming they observed the flaw being abused in the wild. 

Pkfacebook is a plugin for PrestaShop, an open source ecommerce platform that enables individuals and businesses to create and manage their online stores. This plugin allows people to register their accounts and log in, using Facebook, leave feedback on bought items, and communicate with customer support.

Assume everyone's vulnerable

Friends-of-Presta is a community of developers, integrators, agencies, and software publishers. As per their findings, as well as those from cybersecurity researchers TouchWeb, the SQL injection flaw is tracked as CVE-2024-36680. It is being abused by malicious actors to install credit card skimmers on vulnerable websites, allowing them to steal valuable payment information

Promokit, the company that develops and maintains the Facebook plugin, says it fixed it “long ago” but, as BleepingComputer finds, provided no proof for their claims. Right now, some 300,000 online stores are using PrestaShop, but it is impossible to determine how many are vulnerable right now.

Friends-Of-Presta believes all users should consider themselves vulnerable, and should do the following:

Update pkfacebook, make sure they use pSQL to avoid Stored XSS flaws, modify the default “ps_” prefix to a longer, arbitrary one, and activate OWASP 942 rules on the Web Application Firewall. 

Breaking into vulnerable ecommerce sites to steal people’s credit card data is a popular form of cybercrime. MageCart was, at peak, by far the most popular and disruptive credit card-stealing cybercrime group out there. While lately the group has been successfully keeping a low profile, security researchers from Malwarebytes found activity that could be linked to the group, back in May 2023. 

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
A person holding a credit card in one hand while typing on a laptop keyboard with the other.
WordPress users targeted by devious new credit card skimmer malware
A person holding a credit card in one hand while typing on a laptop keyboard with the other.
Google system abused by hackers to hijack ecommerce stores
WordPress
Another top WordPress plugin found carrying critical security flaws
A person holding a credit card in one hand while typing on a laptop keyboard with the other.
European Space Agency hack sees official store hijacked to steal customer details
unblock facebook with vpn
A new Facebook phishing campaign looks to trick you with emails sent from Salesforce
Wordpress brand logo on computer screen. Man typing on the keyboard.
Thousands of WordPress sites targeted with malicious plugin backdoor attacks
Latest in Security
Microsoft
"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
Lock on Laptop Screen
Medusa ransomware is able to disable anti-malware tools, so be on your guard
An abstract image of digital security.
Fake file converters are stealing info, pushing ransomware, FBI warns
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Coinbase targeted after recent Github attacks
hacker.jpeg
Key trusted Microsoft platform exploited to enable malware, experts warn
IBM office logo
IBM to provide platform for flagship cyber skills programme for girls
Latest in News
Microsoft
"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
Cassian Andor looking nervously over his shoulder in Andor season 2
New Andor season 2 trailer has got Star Wars fans asking the same question – and it includes an ominous call back to Rogue One's official teaser
Ncuti Gatwa as The Fifteenth Doctor in Doctor Who
Disney+ drops new trailer for Doctor Who season 2 that promises an epic adventure across time and space
23andMe
23andMe is bankrupt and about to sell your DNA, here's how to stop that from happening
A phone showing a ChatGPT app error message
ChatGPT was down for many – here's what happened
AirPods Max with USB-C in every color
Apple's AirPods Max with USB-C will get lossless audio in April, but you'll need to go wired
More about security
An abstract image of digital security.

Fake file converters are stealing info, pushing ransomware, FBI warns
Microsoft

"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
Dell Pro Max with GB300

HP and Dell's latest Nvidia powered PCs are likely to be some of the most expensive workstations ever launched
See more latest
Most Popular
Dell Pro Max with GB300
HP and Dell's latest Nvidia powered PCs are likely to be some of the most expensive workstations ever launched
Shape of Russia filled with Russian flag-colored internet codes on a black hacking background
A new wave of blocks in Russia targets VPN apps and Cloudflare subnets
An abstract image of digital security.
Fake file converters are stealing info, pushing ransomware, FBI warns
Microsoft
"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
Ncuti Gatwa as The Fifteenth Doctor in Doctor Who
Disney+ drops new trailer for Doctor Who season 2 that promises an epic adventure across time and space
Cassian Andor looking nervously over his shoulder in Andor season 2
New Andor season 2 trailer has got Star Wars fans asking the same question – and it includes an ominous call back to Rogue One's official teaser
23andMe
23andMe is bankrupt and about to sell your DNA, here's how to stop that from happening
Lock on Laptop Screen
Medusa ransomware is able to disable anti-malware tools, so be on your guard
hacker.jpeg
Key trusted Microsoft platform exploited to enable malware, experts warn
A screenshot from Indiana Jones and the Great Circle showing Indiana Jones
Indiana Jones and the Great Circle finally gets PS5 release date and I can't wait to don the fedora and crack the whip